Documentation

Open ID Authentication

Introduction

The Zend_Auth_Adapter_OpenId adapter can be used to authenticate
users using remote OpenID servers. This authentication method assumes that the user
submits only their OpenID identity to the web application. They are
then redirected to their OpenID provider to prove identity ownership
using a password or some other method. This password is never provided to
the web application.

The OpenID identity is just a URI that points to a web site
with information about a user, along with special tags that
describes which server to use and which identity to submit there.
You can read more about OpenID at the
» OpenID official site.

Note:
Zend_OpenId takes advantage of the » GMP extension, where available. Consider
enabling the GMP extension for better performance when using
Zend_Auth_Adapter_OpenId.

Specifics

As is the case for all Zend_Auth adapters, the
Zend_Auth_Adapter_OpenId class implements
Zend_Auth_Adapter_Interface, which defines one method:
authenticate(). This method performs the authentication itself,
but the object must be prepared prior to calling it. Such adapter preparation includes
setting up the OpenID identity and some other Zend_OpenId
specific options.

However, as opposed to other Zend_Auth adapters,
Zend_Auth_Adapter_OpenId performs authentication on an external
server in two separate HTTP requests. So the
Zend_Auth_Adapter_OpenId::authenticate() method must be called
twice. On the first invocation the method won't return, but will redirect the user to
their OpenID server. Then after the user is authenticated on the remote server, they
will be redirected back and the script for this second request must call
Zend_Auth_Adapter_OpenId::authenticate() again to verify the
signature which comes with the redirected request from the server to complete the
authentication process. On this second invocation, the method will return the
Zend_Auth_Result object as expected.

The following example shows the usage of
Zend_Auth_Adapter_OpenId. As previously mentioned, the
Zend_Auth_Adapter_OpenId::authenticate() must be called two
times. The first time is after the user submits the HTML form with
the $_POST['openid_action'] set to "login",
and the second time is after the HTTP redirection from OpenID server
with $_GET['openid_mode'] or
$_POST['openid_mode'] set.

You may customize the OpenID authentication process in several way.
You can, for example, receive the redirect from the OpenID server on a separate page,
specifying the "root" of web site and using a custom
Zend_OpenId_Consumer_Storage or a custom
Zend_Controller_Response. You may also use
the Simple Registration Extension to retrieve information about
user from the OpenID server. All of these possibilities are described
in more detail in the Zend_OpenId_Consumer
chapter.